Elligator: Hiding cryptographic key exchange as random noise

Known Elligator 2 Implementations

These are the implementation we know about as of 2022/06. Please contact us to have your implementation added to this list.

Complete implementations

They provide a complete implementation, suitable for key exchange.

Hash-to-Point implementations

These only implement the direct map (without necessarily exposing it), so random numbers can be mapped to curve points whose discrete logarithm is unknown (this is most useful for Password Authenticated Key Agreement).

Incomplete implementations